Sarbanes-Oxley Compliance and Wireless LAN ... - AirTight Networks
AirTight Networks
WHITEPAPER
Sarbanes-Oxley Compliance and Wireless LAN Security

with mutual authentication based on IEEE 802.1x between the client and the network.

Proven Interoperability with a WPA2 or WPA-compliant RADIUS Server
RADIUS servers such as Cisco ACS, Funk Software Odyssey and Meetinghouse AEGIS provide the back-end authorization capabilities for users trying to access the wireless network. They also provide a way to audit the users accessing the network.

Support for Multiple VLANs with Independent Security Settings
Many different types of users may need to access the wireless LAN. Order administrators require access to the order entry and shipping systems. Accounting and finance staff require access to accounts receivable and payable as well as other financial systems. Marketing and sales teams may require access to sales performance data. Virtual LANs (VLANs) allow each authorized wireless LAN user to reach only the network resources they need. In addition, many corporations use barcode scanners for inventory tracking or in shipping and receiving. These devices often do not support today’s WPA2 or WPA security, only the less secure WEP encryption. They too can be segregated on a specific VLAN that allows access only to the specific database or application they are associated with. This, along with frequent encryption key changes and MAC address control lists, mitigates potential security risks.

Password Protection and Secure Management Interfaces
The wireless LAN system should support secure, authenticated methods of management. Reconfiguring the access point through the management port is one method a malicious hacker might use to try to access the corporate network. Wireless LAN systems should provide SNMPv3, SSH (secure Telnet), and SSL (secure Web) interfaces. Furthermore, the system should be configurable such that management is not possible over-the-air, and ideally a management VLAN is available such that only stations on a specific VLAN can modify the WLAN network settings.
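
The controls in the two sections above (per-VLAN security settings with WEP-only devices isolated behind key changes and MAC lists, and secure management that is not reachable over the air) can be checked mechanically against a configuration export. The following is an added example, not part of the AirTight whitepaper; the config schema, its field names and the 60-minute key-change threshold are assumptions made for illustration.

```python
# Added example: audits a constructed WLAN config against the controls above.
# Field names (radius_8021x, mac_acl, ...) are hypothetical, not a vendor schema.
SECURE_MGMT = {"snmpv3", "ssh", "ssl"}   # interfaces the whitepaper lists
MAX_WEP_KEY_AGE_MIN = 60                 # assumed meaning of "frequent" key changes

def audit(cfg):
    findings = []
    for name, v in sorted(cfg["vlans"].items()):
        enc = v.get("encryption", "none").lower()
        if enc in ("wpa", "wpa2"):
            if not v.get("radius_8021x"):
                findings.append(f"{name}: {enc.upper()} without 802.1x/RADIUS authentication")
        elif enc == "wep":
            # WEP is tolerated only with all three compensating controls.
            if not v.get("mac_acl"):
                findings.append(f"{name}: WEP VLAN has no MAC address control list")
            if v.get("key_rotation_min", float("inf")) > MAX_WEP_KEY_AGE_MIN:
                findings.append(f"{name}: WEP key changes are not frequent")
            if not v.get("allowed_destinations"):
                findings.append(f"{name}: WEP VLAN is not limited to a specific application")
        else:
            findings.append(f"{name}: no recognised encryption ({enc})")
    mgmt = cfg["management"]
    enabled = {p.lower() for p in mgmt.get("protocols", [])}
    for proto in sorted(enabled - SECURE_MGMT):
        findings.append(f"management: insecure interface enabled ({proto})")
    if mgmt.get("over_the_air", True):   # treat "unspecified" as exposed
        findings.append("management: reachable over the air")
    if mgmt.get("vlan") is None:
        findings.append("management: no dedicated management VLAN")
    return findings

# Constructed sample configuration (not taken from any real deployment).
SAMPLE = {
    "vlans": {
        "finance": {"encryption": "WPA2", "radius_8021x": True},
        "scanners": {"encryption": "WEP", "mac_acl": ["02:00:00:00:00:01"],
                     "key_rotation_min": 30, "allowed_destinations": ["inventory-db"]},
        "legacy": {"encryption": "WEP", "key_rotation_min": 1440},
    },
    "management": {"protocols": ["SNMPv3", "SSH", "Telnet"],
                   "over_the_air": True, "vlan": None},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
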

Intrusion Detection and Prevention
Wireless intrusion detection is a limited capability of some wireless LAN systems. Only recently have wireless LAN systems been advertising the ability to detect other wireless activity and report it. Most systems simply detect the intrusion, but do not have any means to automatically prevent it. In a large enterprise environment with many hundreds of Wi-Fi devices, and with possible neighboring Wi-Fi networks, the IT organization can be overwhelmed with false alerts and miss the real security issues.
More importantly, it is important to understand the implication of the infrastructure itself

© 2012 AirTight Networks, Inc. All rights reserved.